Oracle® Switch ES2-72 and Oracle Switch ES2-64 Configuration Guide

Updated: April 2015
 
 

Configure ACL Filters

The example in this task shows how to block the IP traffic from a host with an IP address of 12.0.0.100. See Basic SEFOS Topology for the topology for this task.

The filter type can be extended or standard. Standard filters match traffic on the source IP address and the destination IP address only. Extended filters can additionally match on the protocol ID, TCP/UDP port numbers, DSCP values, and flow label. In this example, IP packets with 12.0.0.100 as the source address are filtered.

ACL filters filter packets in hardware according to the filtering criteria configured on the switch. The switch compares each packet against the configured access lists to decide whether it is blocked or forwarded. Type the following commands on the SEFOS-1 switch.

  1. Connect to SEFOS.

    See Connect to SEFOS.

  2. Configure the IP address of the switch to 12.0.0.1.
    SEFOS-1# configure terminal
    SEFOS-1(config)# interface vlan 1
    SEFOS-1(config-if)# shutdown
    SEFOS-1(config-if)# ip address 12.0.0.1  255.0.0.0
    SEFOS-1(config-if)# no shutdown
    SEFOS-1(config-if)# exit
    SEFOS-1(config)# interface xl-ethernet 0/25
    SEFOS-1(config-if)# no shutdown
    SEFOS-1(config-if)# exit
    SEFOS-1(config)# interface xl-ethernet 0/26
    SEFOS-1(config-if)# no shutdown
    SEFOS-1(config-if)# exit
    
  3. Create an IP filter with ID 11.
    SEFOS-1(config)# ip access-list extended 11
    
  4. Deny the IP traffic from host 12.0.0.100 to any network or host.
    SEFOS-1(config-ext-nacl)# deny ip host 12.0.0.100 any
    SEFOS-1(config-ext-nacl)# end
    
  5. Ping from host A to host B.
    # ping 12.0.0.17
    12.0.0.17 is alive
    
  6. Apply the IP filter 11 to port 25.
    SEFOS-1(config)# interface xl-ethernet 0/25
    SEFOS-1(config-if)# ip access-group 11 in
    SEFOS-1(config-if)# exit
    SEFOS-1(config)# vlan 1
    SEFOS-1(config-vlan)# ports xl-ethernet 0/25 xl-ethernet 0/26 untagged xl-ethernet 0/25 xl-ethernet 0/26
    

    Note - You might see the following message if ports 25 and 26 are already in VLAN 1. If you see this message, you can ignore it.
    % Member Ports cannot be added/deleted on Default VLAN
    SEFOS-1(config-vlan)# end
    
  7. View the configuration details.
    SEFOS-1# show access-lists
    ...
    IP address Type                  : IPV4
    ...
    In Port List                     : X10/25
    ...
    Filter Action                    : Deny
    Status                           : Active
    
  8. Send traffic from host A to host B again, in the same way as the ping from host A to host B in Step 5.

    Packets sent from host A are not forwarded to port 26 because the filter action is set to deny. The ping to 12.0.0.17 from host A fails with no answer from 12.0.0.17.

  9. Remove the IP filter from port 25.
    SEFOS-1# configure terminal
    SEFOS-1(config)# interface xl-ethernet 0/25
    SEFOS-1(config-if)# no ip access-group 11 in
    SEFOS-1(config-if)# end
    SEFOS-1# show access-lists
    ...
    Status                           : InActive
    
  10. Send traffic from host A to host B again, in the same way as the ping from host A to host B in Step 5.

    The ping is answered from host B. Packets sent from host A are forwarded to port 26. The following two consecutive ping commands show that the deny filter action set in the ACL list was applied to one port and was removed from another port.

    # ping 12.0.0.17
    no answer from 12.0.0.17
    # ping 12.0.0.17
    12.0.0.17 is alive
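The following Python model is an added illustration of the filtering semantics used in the steps above; it is not code from the Oracle guide or from SEFOS. It parses entries written in the page's own form (`deny ip host 12.0.0.100 any`), evaluates constructed packets against them, and mirrors Steps 6 and 9 by binding the list to an interface and then removing it. The first-match evaluation order, the `eq`/`dscp` qualifiers for extended entries, the default action when no entry matches, and the names `AccessList`, `Interface` and `Packet` are assumptions of this model, not documented SEFOS behaviour; on a real switch, confirm the unmatched-traffic behaviour with a second, non-denied host in the same way that Step 8 confirms the denied one.

```python
"""Model of first-match ACL evaluation for standard/extended IP filters.
Added illustration only; not Oracle/SEFOS code. First-match order, the
'eq'/'dscp' qualifiers and the default action are assumptions of this model."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "ip"          # "icmp", "tcp", "udp"; a rule proto of "ip" matches all
    dport: Optional[int] = None
    dscp: int = 0


@dataclass
class Rule:
    action: str                # "permit" or "deny"
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None   # extended-only qualifier (assumed syntax: "eq N")
    dscp: Optional[int] = None    # extended-only qualifier (assumed syntax: "dscp N")

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if ipaddress.ip_address(pkt.src) not in self.src:
            return False
        if ipaddress.ip_address(pkt.dst) not in self.dst:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        if self.dscp is not None and self.dscp != pkt.dscp:
            return False
        return True


def _parse_addr(tokens: List[str], i: int):
    """Consume 'any' | 'host A.B.C.D' | 'A.B.C.D MASK'; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # dotted mask form, e.g. '12.0.0.0 255.0.0.0'; strict=False masks off host bits
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_rule(line: str) -> Rule:
    """Parse one entry such as 'deny ip host 12.0.0.100 any' or 'deny tcp any host 12.0.0.17 eq 23'."""
    t = line.split()
    action, proto = t[0], t[1]
    if action not in ("permit", "deny"):
        raise ValueError(f"bad action in rule: {line!r}")
    src, i = _parse_addr(t, 2)
    dst, i = _parse_addr(t, i)
    dport = dscp = None
    while i < len(t):
        if t[i] == "eq":
            dport, i = int(t[i + 1]), i + 2
        elif t[i] == "dscp":
            dscp, i = int(t[i + 1]), i + 2
        else:
            raise ValueError(f"unknown qualifier {t[i]!r} in rule: {line!r}")
    return Rule(action, proto, src, dst, dport, dscp)


class AccessList:
    def __init__(self, entries: List[str], default: str = "permit"):
        self.rules = [parse_rule(e) for e in entries]
        self.default = default     # assumption: action when no entry matches

    def evaluate(self, pkt: Packet) -> str:
        for rule in self.rules:    # first matching entry decides (assumed order)
            if rule.matches(pkt):
                return rule.action
        return self.default


class Interface:
    """Port with an optional inbound ACL, mirroring 'ip access-group 11 in' and its removal."""
    def __init__(self) -> None:
        self.inbound: Optional[AccessList] = None

    def apply_in(self, acl: AccessList) -> None:
        self.inbound = acl

    def remove_in(self) -> None:
        self.inbound = None

    def admit(self, pkt: Packet) -> str:
        return "permit" if self.inbound is None else self.inbound.evaluate(pkt)


# Constructed sample: the page's deny entry plus an explicit permit so the
# assumed default action never decides the outcome for these packets.
ACL_11 = AccessList(["deny ip host 12.0.0.100 any", "permit ip any any"])
PING_FROM_A = Packet("12.0.0.100", "12.0.0.17", "icmp")   # host A to host B
PING_FROM_C = Packet("12.0.0.50", "12.0.0.17", "icmp")    # constructed third host


def run_steps(port: Interface) -> List[str]:
    """Replay Steps 6, 8, 9 and 10 on one port; returns the verdict for each ping."""
    port.apply_in(ACL_11)
    applied = [port.admit(PING_FROM_A), port.admit(PING_FROM_C)]
    port.remove_in()
    removed = [port.admit(PING_FROM_A)]
    return applied + removed


if __name__ == "__main__":
    print(run_steps(Interface()))   # expected: ['deny', 'permit', 'permit']
```

The second constructed host is the check worth keeping: a list containing only the deny entry blocks the intended source, but whether it also blocks everyone else depends on the switch's unmatched-traffic behaviour, which this model only assumes and which `show access-lists` does not display.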
    

Related Information